Rethinking the Security “Con”

October 11th, 2014

I realized a while back that I had lost the zeal to attend security conferences. I’ve been attending security conferences for a long damn time, as many of you have too. DEF CON, RSA, Shmoo, a whole $HITLOAD of B-Sides, SANS of course, etc. Lots of smaller ones here and there, too (logistics have prevented me from getting to Derby yet, which makes me a little sad). The number of security conferences being held is off the chart. If you take a look at SECore, you’ll see just how many conferences are going on anywhere in the world at one point or another.

I think it’s gotten out of hand, honestly. Not because security cons are a bad thing, truth be told. Because we’re saying the same damn thing at all of them. The themes are the same, it’s a lot of the same people talking, the talks sometimes even say the exact same thing in different language. I can hear the criticism now. “Shack, that’s bullshit. We learn things at cons.” Mmmm hmmm. Sure you do. You hear what people say, you may find it fascinating, but very rarely will it make an impact on what you do day-to-day. Especially the heaping quantities of “Internet of Things” flaws and “sky is falling” talks about how doomed we all are when our thermostat becomes sentient, remotely takes over our cars, and we all die. Get a grip. It’s interesting, but we have major problems today, they’re a lot damn simpler than any of that “forward looking research”, and we’re still sucking ass at the basic stuff.

If you can’t lock down your desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? If you can’t detect a freaking port scan, let alone a DNS C2 channel, why are you waiting hours in line to hear a talk about hijacking car internals? I am a true believer in lifelong learning, so learning something just for the sake of learning is A-OK with me, I get it. But cons aren’t really helping us accomplish anything, unless they are straight-up training cons. And I don’t mean training your livers, since most cons involve staggering quantities of alcohol. Really, for a lot of folks, I think cons have become a few things:

A way to escape reality. Very few con talks touch on the mundane bullshit that we’re sucking at. They discuss pie-in-the-sky scenarios that involve vendors, “researchers”, and stuff that we can ogle at.

A stand-in for a social life. I have a lot of friends in infosec. I’ve got plenty that aren’t too. I can get shitfaced anytime – I don’t need to wait for a con. Seeing your infosec friends is cool. Going to more and more cons to see those people…well, that’s up to you. But maybe you could get together OUTSIDE a con for once? That’s what real friends do. Plan a trip somewhere that does not involve security. Shocking.

A place where people who don’t actually DO shit for a living can expound on their amazing security philosophy, telling those of us that DO do shit for a living how it’s all shaping up. Please. I know what the hell is going on in security, I live it every day. With a lot of clients. Doing real work.

An egomaniac stomping ground. If you continually got your ass beat in high school, sunlight sets you aflame instantly, and you have deep-seated challenges interacting socially, you can still be a rock god by breaking something and giving a talk on it. This is getting ridiculous. I love smart people, too, but I’m kind of over the “celebrity researcher”. I like people when they’re cool people, not just because they have some amazing “use after free” flaw they presented on.

A “scene whore”…well, scene. It’s COOL to be in infosec, apparently. You can almost predict the tweets when a con starts:
<scene_whore>Arrived! Where’s everyone at? #ConHashtag
…10 min later…
<scene_whore>I’m in the bar at the <con_hotel>! <Picture of alcoholic beverage> #ConHashtag
…20 min later…
<scene_whore>What’s going on? where is everyone? #ConHashtag
Most people are just folks. But being at a security con does not even come close to making you a real infosec professional. Knowing a bunch of people on Twitter doesn’t either. Drinking with people in bars may make you new friends, but still doesn’t mean you can accomplish shit as a security professional. There are even some people I see on Twitter who seem to attend every security conference on the fucking planet. What the hell is your JOB? Does someone pay you to go to cons? It’s SAD…NOT endearing.

This is a rant. I know this. But really, folks, cons are not doing shit for us, aside from giving us some fun times and maybe a handful of interesting talks here and there. If you really get value out of tons of cons, awesome. I would never tell anyone how to live their lives, or what to do with their time. But we are not FIXING ANYTHING. We still have Adobe and Java problems. We still suck at intrusion detection. We still suck at incident response. People are still clicking shit. We don’t know what we don’t know. Pretty much every con I see today won’t even begin to help with any of that. If you’re a pen tester? Sure, you’ll get some new tools, new techniques. But only about 5% of security folks are ACTUAL PENTESTERS. Lots of people like to fake it. But 95% of you are defense folks. Which is probably just fine. So do defense. Get better at fixing stuff. Focus on the boring, the mundane, but incredibly important crap like inventory management, patch management, configuration management, blocking and tackling at the network layer, security awareness, etc. I see almost no talks at cons on “solving this one problem in 10 different ways”. Almost none of you need to worry about hacking an ATM or a car. You DO need to get your backyard cleaned up. It’d be nice to see a conference with the following parameters:

The theme of “we’re failing” is 100% forbidden. No talks accepted, no slides with that, if you say it in your talk you are forced to listen to Barry Manilow albums the rest of the con.

All talks tell us how to fix something. That’s it. And REAL somethings, not some arcane crap that is only a reality for .00000004% of the world.

Absolutely no slides that include references to the Verizon Data Breach report. Verboten.

Every single attendee must write a blog post chronicling at least 5 things they learned. Tactical, “fix shit” things they learned.

No selfies. NONE.

People can only use their real names. Be a human being, and we’ll hang out. I have a real hard time here in 2014 referring to someone as only a “handle”. Call me “Dave” or “Shack” and we’re good. Let’s actually be real professionals. Crazy, right? Imagine if people at law or medical conferences referred to themselves as “D@rk Malpractice L0rd” or “SurgeonZer0”. Please. We’re not in chat rooms, people. And even if we were…that shit is OLD.

It probably won’t happen. There are still some really good efforts and conferences out there – I’m not disparaging the enormous efforts of those who run them. But I think we’re starting to look silly. Security is just a shit show, and we throw booze fests in the name of “research” constantly. Yay us.

I completely agree! We have been through the worst breach count in the past year, with no end in sight. I keep hearing “I went to this Con and that Con” in interviews and conversations, but no one knows how to stop or Detect the BlackPoS or BackOff malware! I have done several articles on my Blog exactly how to detect these easily with Malware Management and Logging using the Windows Logging Cheat Sheet. Cons do not do enough to teach us how to defend or detect such events, they are “Kewl, look what research, hackery, vuln, exploitable thing I did” events and not enough focus at Defending our Networks with REAL actionable items I can take back to work and do. I submit talks to many Cons on these proven techniques, turned down too often (defensive talks are not sexy) yet I still see exploitation and offensive talks and very few if any defensive talks. We need to demand our Cons have 50% defensive talks and less of these ‘great talk but I can’t use this in my job at all talks’. Times have changed and if Cons don’t change to a defensive focus, the InfoSec industry is partly to blame for all the breaches because we are not properly educating our peers with what we know.

I agree with much of your feedback. The definition of a successful conference for me is whether I change the way I do things based on what I learned. A lot (if not most) of what I learn at conferences has nothing to do with the talks, but the “hallway track”, including the boozeathons and side events. Those tend to be where the “ebony tower” types (full-time researchers) collide with the folks in the trenches. The arguments and exasperated replies are a great indicator of how ignorant researchers can be of the corporate world (and vice-versa). Conferences help bridge the gap between full-time defense, full-time offense, full-time research, and all of the shades of grey and purple in-between.

Derbycon is a great conference. I took this year off from attending any conferences, but I was still able to watch most of the Derbycon presentations due to their aggressively-friendly sharing model, driven by Adrian Crenshaw and his team: http://www.irongeek.com/i.php?page=videos/derbycon4/mainlist

As awesome as Derbycon is, I attended the previous three years because it was a chance to hear from a community that is under-represented at conferences like RSA and Defcon. Derbycon is reachable by car for a large portion of the US and is relatively cheap. Derbycon also provides a way for aspiring security professionals to get experience presenting to their peers (stable talks). It ends up being an educational experience for everyone who attends, regardless of their current role (IS or IT or driving trucks), and as a conference, is still the one I recommend most. Derbycon has great talks, but more importantly has networking and community interaction opportunities that are hard to find at other events.

Not all conferences provide the benefits listed above. I feel like RSA, Black Hat, Defcon, and most of the larger conferences are missing the community feel, and the “cool kids” tend to cluster up and escape the madness of the conference. I learn little at these conferences, regardless of how good the talks are, or who attends, because the timeslot competition and general schedule insanity doesn’t leave time for the important conversations to happen.

I don’t mean to plug Derbycon so much as describe why I think some conferences are getting this right and why the talks are less important than how the rest of the conference is organized.

@Michael Gough
Re: Specific fixes and defenses. There are conferences that focus on these areas (typically, malware-focused conferences sponsored by AV organizations). There are few conferences with strong “defender” tracks in general, mostly because defense is hard, and solutions are easy to shoot down. I give huge props to anyone willing to do a “defense” talk due to the sheer amount of “but what if the attacker…” questions they will receive regarding their suggestions. As the adage goes, an attacker only has to know about one vulnerability, while a defender has to know about all of them.

I agree with what you are saying, but how do we actually fix it (so we don’t sound like grumpy old men)? I’d like to see requirements that presentations have two obligatory slides:

1) Why should you care?
This slide should detail the likely impact of the topic being discussed on their typical audience member’s life or business. In real and specific terms.
2) What can you do tomorrow about this?
Provide the audience with specific actions they can take when they return to the real world to minimize the impact/risk of the topic to their organization.

If the topic is such that there is no real answer to one & two above then the talk is more of a learning for the sake of learning (which I have no problem with) presentation vs teaching something timely.

However I have experienced the value of hallway-con, how can we open that to everyone? What if we could find a way to team a pure researcher with someone from the trenches to present together? One could talk about the complete theoretical impact of the topic and the other dissect it down to what is manageable and containable and provide practical advice…

I agree mostly but must disagree with your last point about using real names for two reasons. The first is as valid now as it was when I started using a handle, legal protection. Vendors try to silence researchers all the time by threatening or actually filing lawsuits. This despite a researcher doing nothing even remotely wrong. There is also often pressure from employers to take credit for research not actually done on employer time. In these two cases using a handle is a wise decision.

Second, after you have given enough talks or used a handle long enough the handle begins to develop a certain reputation. Enough reputation that it makes sense to continue using the handle even when you no longer need the legal protection. Once an identity is attached to a specific name it is difficult to separate the two.

Do you really expect Gordon Sumner to go around introducing himself as Gordon instead of Sting? Should Billy Idol say “Hi, I’m Mr. Broad”? There are several very high profile people in infosec who solely use handles that sound like real names. If I told you my name was Sandy, would you take it at face value that it was my actual name and not a handle? Why can’t you do the same thing with Space?

A name is a very personal identifier. In today’s climate of identity theft a real name can potentially hold a lot of power over a person. So forgive me if, when I get introduced to someone who I don’t know, or even don’t know of, I claim that my name is John or Steve, or Count, or even Space. I will choose what information I wish to reveal about myself and to whom. If you don’t want to drink with me because I choose to maintain a little personal privacy then chances are I probably won’t want to drink with you either.

“The theme of “we’re failing” is 100% forbidden. No talks accepted, no slides with that, if you say it in your talk you are forced to listen to Barry Manilow albums the rest of the con.”

This is the only thing I disagree with. The appropriate reaction to failure isn’t to ignore it, it’s to understand the scope, the scale, and the nature of our failures and address them appropriately. Security will never be a one size fits all solution, so understanding how failures inform solutions in each environment is key to fixing them appropriately.

I’d instead suggest (because we’re fixing things!) that failures must be paired up with solutions. The talks I would want to see and present, the solutions I would want to put in place or learn about at a con like that, are meaningless without understanding the nuances of failures and the environments they take place in. The counter to the theme of failure isn’t to stop talking about failure, it’s to make sure we talk about how that failure informs solutions.

Otherwise you end up with the same thing that we have already, which is security people throwing out unrealistic, ineffective advice, because they don’t understand how the failure and the environment in which that failure takes place informs the best solution.

I agree with many points here, and I appreciate the article. This struck a chord with me.

A colleague (now employee, actually) and I once put our heads together to see what it would take to get funding and plan for a local conference (Dallas) devoted entirely to custom use case development. It began as an idea after several ArcSight Protect conferences (now HP Protect), and we decided we’d love to follow in the footsteps of B-Sides to create a conference for the people, not for vendors, but with a 100% focus on infosec achievements within enterprise environments and with zero vendor push.

We measure the success of a conference, similar to what you described, based on whether we feel we came back with innovative ideas around how to do things differently or better. Between SIEM tools, log management systems, automation tools, workflow tools, open source and big data tools, we figure there is an infinite supply of interesting material for presentation on things we can ACTUALLY deliver in our own jobs.

@HD Moore
Thanks for the response, HD. I think I miss a bit of the “community vibe”, too, but I do think we need to downplay some of the “ivory tower” and get people thinking more about solutions. The problems today are too great to just keep adding more and more offense to the mix – I get it, it’s fun. But a lot of the talks are less practical, too “preachy”, or both. I’ve heard good stuff about Derby, and Dave K and crew work hard to put on a good event. I just hope we can pare down the sheer number, and get back to more quality and real discussion (hopefully more focused on defense and solving issues vs. just breaking things). –D

@Conan
Conan, thanks for the note. I think you missed some of my point – it’s the *theme* of “failing” we need to drop like a bad habit. Failure can teach us things, we all know this. But we rarely see talks with “here’s a failure, now let me spend the other 45 minutes showing us all how to fix it”. Security is kind of like the airplane crash to me – if one crashes, we all FREAK since it’s terrifying…but the stats on crashes are incredibly low. I think we win more than we lose, but all these breaches lately are highlighting our shortcomings, and have people thinking it’s all “doom and gloom”. It’s not…and we’ll get there. But cons focused on nothing more than how things are broken won’t really solve this.

@Space Rogue
I respect your thoughts here, of course, Space/Rogue/Space Rogue/etc. You and your crew are all legends – in fact, guys I looked up to enormously coming up in the field. I can’t really disagree with any of your points – yes, anonymity has its place, and yes, sometimes handles acquire their own persona and fame, as it were. I’ll argue that vendors won’t likely try to shut you down and threaten you if you aren’t talking about breaking their stuff, which is a good bit of my emphasis in the post, though (more on fixing, less on breaking). I remember the Linn fiasco of 2004, I was there too. Plenty of other great examples. And I’m not talking about catering to vendors – just suggesting that if a) you aren’t trying to protect your identity at a con, b) you aren’t worried about vendors lashing out at you, and c) you’d like to get some attention and meet people using your real name, then that’d be nice. My sense of paranoia these days has nothing to do with my name, but that’s my own choice, as you have yours. Incidentally, I’ll be in your neck of the woods the first week of November, and I would love to have a drink with you if you’re around. By whatever name. –D

@admin
“I think we win more than we lose, but all these breaches lately are highlighting our shortcomings, and have people thinking it’s all “doom and gloom”. ”

I don’t think we’re winning at all – massive compromises are still taking place with simple, low level attacks and minimal technical expertise. Most pentesters don’t need more than a list of default creds, a scanner, and pass the hash to make it to domain admin. Worse, when those pentesters do succeed, they’ve probably done nothing to help address the core problems that allowed them to own the network in the first place.

We’re not at the point where major corporations are effectively defending their POS systems against basic attacks. In general, the larger and older your corporation, the less likely you are to have effective defense due to incredible amounts of security and technical debt (there are some exceptions in some industries). Most aren’t even catching up to that debt.

You can expect that someone with minimal skill can pop any major retailer. ATM/POS systems still run on Windows XP, oftentimes sharing networks with guest users of wifi within a bank. We’re still using ancient versions of SSL that are vulnerable to predictable, expected attacks. That’s not even getting into the 0day conversation, that certificates and trust on the internet is totally broken, that 50% of heartbleed vulnerable servers are still unpatched, that there’s hardware out there that lives forever that it’s impossible by design to patch…

With that in mind, our solutions are really “boring” – educate, make tools that allow people with a minimum of ability to program without causing security flaws. Assist corporations with re-writing legacy applications in an efficient, business feasible way. Give up on technical perfection, understand risk, impact, and do the boring patching and monitoring work. Check your logs. The most effective, honest defensive talk would go like this: “I’m going to shut up now, and ask each of you to write a secure introduction to coding that is just as usable as what you get when you google “teach me to code”, and then SEO it to the top of google results”, followed by 50 minutes of each attendee working together to do just that. Defense isn’t realized by individual rockstars shining in their moments of sexy technical brilliance, it will be won by thousands of faceless soldiers draining the swamp one handful at a time. Winning at defense is a blue collar pursuit.

I will say that we have succeeded to a degree at pieces of technical defense, and a well architected company can be defensible, if they were lucky enough to retain some of the very limited defensive security talent out there that can also speak business in a meaningful way and actually listens to them. But that’s a hell of a lot of caveats, and those caveats mean that even the technical success we have is insignificant in light of our inability to actually use it to protect data.

I don’t think that we can consider ourselves to be succeeding when the first notification of data theft a user gets is nudes showing up on the internet. You use an internet service, the only defense Jane Q Public has is “don’t put anything out there you don’t want to be public forever, and don’t let anyone else put anything out there either”.

There are really interesting defensive problems out there, but addressing those almost always requires ignoring the drowning masses to speak to the enlightened few.

But, for all of that – I’ll still be here draining the swamp one handful at a time. It’s a thing worth doing, and it’s rewarding for that reason alone. I just don’t think there’s any sense in not being completely honest and realistic about the depth, breadth, and realities of the problems.

Oh, good God…THANK YOU! I’d add to that, along with each of the 5 things, they have to include how what they learned changed what they do on a day-to-day basis. Don’t have a blog? No problem…write down your list, and send it to a buddy that does, or comment to someone else’s blog post about the con, and use your real name.

I stopped even wanting to attend BlackHat/DefCon for the reasons you laid out in your post; presentation content had nothing to do with the title (“SimpleNomad” once spent his time in a school circle talking wicca…), and I know that the BH conference area overlooks the European pool, fellas…but really…get a life.

If a conference is supposed to be about, say, DFIR, I want to hear about DFIR things that are going to either help me do my job, or change the way I do it. If the presentations are good, I’ll find a way to squeeze something out of it that I can use. I attended a recent vendor conference in DC, and drove two hours through traffic to attend. The very first presentation in the IR track should’ve been part of a developer track. Even though the presentation had to do with malware on a Windows system, I was really struggling to figure out what the “threat intel” was so that I could use it.

With the infosec community, one of the biggest “misses” we have is feedback. The reason conferences are the way they are is because most attendees do nothing more than say, “great con!”, if anything at all. I think that most folks who attend the conferences are there for many of the reasons you list in your post, and are glad that they didn’t have to get up in front of people to speak. Reviews of conferences are much like the reviews of books that we see online…”chapter 1 covers…chapter 2 covers, blah, blah, blah”. Okay, forget the fact that the conference has an agenda listed online, and the book has a table of contents…and we already know all that. What we don’t see is, how did the conference affect what we do? Without that kind of feedback, we’re going to keep getting the same conferences over and over again.